Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability

Zoho ManageEngine ADSelfService VulnerabilityZoho ManageEngine ADSelfService Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
on Wednesday issued a bulletin warning of a zero-day flaw affecting
Zoho ManageEngine ADSelfService Plus deployments that is currently
being actively exploited in the wild.

The flaw, tracked as CVE-2021-40539[1], concerns a REST API
authentication bypass that could lead to arbitrary remote code
execution (RCE). ADSelfService Plus builds up to 6113 are
impacted.

ManageEngine ADSelfService Plus is an integrated self-service
password management and a single sign-on solution for Active
Directory and cloud apps, enabling admins to enforce two-factor
authentication for application logins and users to reset their
passwords.

“CVE-2021-40539 has been detected in exploits in the wild. A
remote attacker could exploit this vulnerability to take control of
an affected system,” CISA said[2], urging companies to
apply the latest security update to their ManageEngine servers and
“ensure ADSelfService Plus is not directly accessible from the
internet.”

In an independent advisory, Zoho cautioned[3]
that it’s a “critical issue” and that it’s “noticing indications of
this vulnerability being exploited.”

“This vulnerability allows an attacker to gain unauthorized
access to the product through REST API endpoints by sending a
specially crafted request,” the company said. “This would allow the
attacker to carry out subsequent attacks resulting in RCE.”

CVE-2021-40539 is the fifth security weakness disclosed in
ManageEngine ADSelfService Plus since the start of the year, three
of which — CVE-2021-37421[4]
(CVSS score: 9.8), CVE-2021-37417[5]
(CVSS score: 9.8), and CVE-2021-33055[6]
(CVSS score: 9.8) — were addressed in recent updates. A fourth
vulnerability, CVE-2021-28958[7]
(CVSS score: 9.8), was rectified in March 2021.

This development also marks the second time a flaw in Zoho
enterprise products has been actively exploited in real-world
attacks. In March 2020, APT41 actors were found[8]
leveraging an RCE flaw in ManageEngine Desktop Central (CVE-2020-10189[9], CVSS score: 9.8) to
download and execute malicious payloads in corporate networks as
part of a global intrusion campaign.

References

  1. ^
    CVE-2021-40539
    (nvd.nist.gov)
  2. ^
    said
    (us-cert.cisa.gov)
  3. ^
    cautioned
    (www.manageengine.com)
  4. ^
    CVE-2021-37421
    (nvd.nist.gov)
  5. ^
    CVE-2021-37417
    (nvd.nist.gov)
  6. ^
    CVE-2021-33055
    (nvd.nist.gov)
  7. ^
    CVE-2021-28958
    (nvd.nist.gov)
  8. ^
    found
    (www.fireeye.com)
  9. ^
    CVE-2020-10189
    (nvd.nist.gov)

Read more